Lessons learned from MOOYAH’s experience
This post contains the text from the White Paper: How Franchises Can Protect Their Brand Through PCI Compliance.
We live in a world where data breaches are becoming more common every day, and no organization is exempt from being targeted by hackers. Fortunately, there are measures that each organization can take to better protect themselves from cyber criminals and minimize the effects of an otherwise devastating breach. The PCI DSS was established to make sure businesses that transmit, store, or process cards are doing so securely.
Franchises need to take special care to protect themselves against cyber criminals because as your organization adds more franchisees, you also add more access points to would-be hackers. Unlike small businesses like a mom-and-pop shop, the damage to brand reputation is not contained in one location because customers do not differentiate between individual franchisees and the franchise as a whole—to them, it’s all one entity.
One franchise in particular, MOOYAH Burgers, Fries, & Shakes, has taken important steps to secure their sensitive information and implement a franchise-wide PCI program. This white paper includes advice on communicating the importance of a PCI program to your franchisees, common misconceptions about PCI, and tips from Cody Connatser, MOOYAH’s Manager of Operations Services, on what MOOYAH has accomplished in the PCI DSS space and what franchises can do to protect their brand image.
Data Breaches and PCI Compliance
COSTS OF A DATA BREACH
It’s easy to fall into the trap of thinking that your organization is sufficiently prepared to withstand a hacker’s attack, when in reality you may be overlooking critical security measures. SecurityMetrics PANscan® is a tool that searches networks for unencrypted payment card data, and a 2019 study found that 85% of PANscan users did not encrypt all their payment card data. This means two out of three users essentially made cyber criminals’ jobs much easier. Your franchisees should verify that all their payment card information is encrypted, not just a portion of it.
Another point to stress to your franchisees is that the cost of a data breach can be expensive. There are fees from several different sources, including processor non-compliance fees, card brand non-compliance fees, card brand compromise fees, forensic analysis costs, card replacement costs, notification costs, security update costs, and more.
These costs can run anywhere from a few thousand dollars to millions of dollars. It’s a wise investment to protect yourself now rather than run the risk of breaking the bank after a breach.
HOW TO BECOME COMPLIANT
In order to become compliant in the most basic scenario for a small business (processing fewer than 20,000 transactions annually), businesses must complete these four steps:
- Identify PCI requirements that apply (PCI scope)
- Pass a Self Assessment Questionnaire (SAQ)
- Pass quarterly vulnerability scans (where applicable)
- Report compliance
As a franchisor, you can share these four steps with your franchisees when they ask you what is needed to become PCI compliant. These steps obviously require some time and effort, but an experienced PCI company can help provide guidance for your franchisees and walk them through the process of becoming compliant.
Without PCI compliance, organizations are opening the door for cyber criminals to obtain credit card information.
COMMON MISCONCEPTIONS ABOUT PCI FOR FRANCHISES
Your franchisees may exhibit resistance to becoming PCI compliant because of the time and effort required. As the franchisor, you may even feel reluctant to implement a PCI program or maybe you feel doubtful that your program will have much success. Here are some of the most common misconceptions that we have heard over the years along with some responses to these misconceptions:
“IT’S UNFORTUNATE IF ONE FRANCHISEE GETS BREACHED, BUT IT SHOULDN’T HAVE ANY MAJOR EFFECTS ON THE BRAND AS A WHOLE.”
This has been proven to be untrue; a breach does in fact affect the entire brand. As stated previously, your customers do not differentiate between individual franchisees and the brand as a whole—it is one and the same to them.
“I DON’T NEED TO WORRY IF MY FRANCHISEES ARE COMPLIANT OR NOT; THAT’S THEIR JOB.”
Unless you’re an extremely well-established name, you’re going to have a problem attracting new franchisees if your reputation has been tarnished with a breach. It’s in your best interest as the franchisor to ensure that your PCI program is being implemented throughout the franchise.
“MY EQUIPMENT IS MARKED AS PCI COMPLIANT, SO THAT’S ALL I HAVE TO DO TO REACH COMPLIANT STATUS.”
This is a marketing tool that a lot of hardware companies will use—they label their terminals or gateways as PCI compliant because they were built in a PCI compliant manner. Although having PCI compliant solutions is required, the equipment itself doesn’t get a business fully compliant.
“PCI COMPLIANCE IS A ONCE-A-YEAR THING. I DON’T NEED TO WORRY ABOUT IT THE REST OF THE YEAR.”
Implementing PCI practices throughout the year is crucial to protecting data. Make securing your sensitive information a top priority to achieve PCI compliance, not the other way around. By maintaining a culture of security in your organization on a daily basis, PCI compliance will take care of itself.
“BECOMING PCI COMPLIANT IS TOO CONFUSING SO I’M NOT GOING TO WORRY ABOUT IT. A DATA BREACH WON’T HAPPEN TO ME ANYWAY.”
It’s understandable if your franchisees feel like validating PCI compliance is confusing, but it doesn’t have to be. A PCI compliance provider that can help hold your franchisees’ hands through this process makes it much easier to understand. Not every organization is going to get breached, true. But the less you do to protect your data, the easier it becomes for hackers to access your secure data.
Cody Connatser, Operations Specialist at MOOYAH, shared his experience about working with SecurityMetrics to become PCI compliant:
“We realized that without PCI compliance the last couple of years, we were opening the door to credit card theft, which can cost hundreds of thousands, if not millions, of dollars when you factor in those types of damages. You’re also looking at customer trust going down the drain, and that of course impacts our brand reputation as a whole.
“With over 100 stores launched, we knew it was time to look more closely into our PCI compliance initiative. We had previously been working with a company that really didn’t understand how to streamline this process, and better yet explain it to our franchisees. PCI compliance seems overwhelming to a franchisee—all they know is that it protects credit cards, but what do they have to do? After all, their POS says they’re PCI compliant.
“In addition to this, we at Franchise HQ were unsure of how to get our franchisees PCI compliant. We needed guidance from experts in the industry. Unless we talked to someone in the industry like SecurityMetrics, it’s kind of a different language—even for our IT department. You need to work with someone who deals with PCI compliance on a daily basis.
Program Management Tools
“SecurityMetrics provided tools for PCI compliance. Your franchisees need to understand that a PCI-compliant POS is just one piece of becoming PCI compliant. SecurityMetrics worked with us and let us know ‘OK, you also need A, B, and C.’ They guided us through the process and allowed us to view weekly and monthly webinars to address all of our franchise community. This was a big deal because they allowed us to explain our issues from our point of view, and they addressed these issues from an operations perspective, not from an IT perspective.
“They also provided a portal to allow us to maintain a streamlined timeline to make sure that all our franchisees were striving to obtain PCI compliance. This also allowed us to see if they were filling out the right SAQ and if they were passing their scans. It’s not a one-time thing—this is an ongoing process. Today we still have stores that fall out of the scans, but they are working to achieve it.
“You can’t afford to slip up. If a franchise slips up even one time, they often go out of business. I don’t know anyone that can keep up with close to $1 million in fines and stay in business.
“In addition to these tools, SecurityMetrics also provided us with a corporate program management team to help us manage our business. They were there every step of the way. That was a big thing for us—it was a step-by-step process until the program was implemented. They explained the compliance process to us, and the knowledge and experience that they provided was beyond anything we’ve seen with any other company.
“It became easier to explain PCI compliance because it was no longer a different language and pages upon pages of compliance terminology. They were here to support us every single day.
SecurityMetrics provides knowledge and experience so your franchisees can better understand the complexities of PCI compliance.
“Today, the majority of our brand is PCI compliant, and we implemented it within our budget. SecurityMetrics worked with us to make sure we didn’t break the bank. And lastly, we found a partner for PCI compliance for the future as we work towards 200 stores. We trust SecurityMetrics on a day-to-day basis to ensure that we, as a company, are PCI compliant for now and in the future.”
KEYS TO PROGRAM SUCCESS
Education and open communication are the best ways to get your franchisees on board with data security and PCI compliance. At the very least, you can make sure your franchisees’ data footprint is minimized and that customer card data is secure. Follow these three steps to help educate your franchisees on the importance of PCI compliance:
- Set goals at a franchise level for PCI and data security
- Determine program requirements for franchisees
- Define deadlines, incentives, and penalties for program participation
Once you have completed these three steps, it’s imperative to create a clear communication plan to get the word out to your franchisees. Your franchisees can’t meet the requirements you’ve established if they don’t know what they are. Make it clear to your franchisees that this is something that they need to do.
Some organizations have put a penalty system in place. For example, if a franchisee doesn’t have a firewall in place, they get fined. Other organizations have focused on the peace-of-mind aspect. For example, through the SecurityMetrics service guarantee, a franchisee is eligible for a data security reimbursement of up to $100,000 if they are ever breached.
Whatever approach you take should show your franchisees that PCI compliance is something that benefits the entire organization.
A great way to communicate your PCI plan to your franchisees is through multiple touch points, such as email, phone, statements, or newsletters. If you have a franchise newsletter, it’s a good idea to include a data security section to help your franchisees be more secure.
TOOLS FOR FRANCHISEES
It’s important to understand that your franchisees will all be at different levels of compliance and security. When selecting a PCI vendor, find a partner that has the tools necessary to meet the varying needs of your franchisees. These tools include SAQs, vulnerability scans, managed firewalls, and security awareness training.
It’s also imperative to find a PCI vendor that has enough staff to provide quality customer support whenever you or your franchisees need it. If your franchisees quickly receive answers to their questions, you will see reductions in both franchisee frustration and your support workload.
Another important tool a PCI vendor can provide is a program management dashboard. This enables you to track and analyze the enrollment and compliance rates of your franchisees. For example, SecurityMetrics Partner+ Portal includes a dashboard that allows you to quickly track, manage, and monitor the compliance status of your franchisees.
You could theoretically try to manage your program through spreadsheets, but that makes things much more difficult—an online dashboard will make your life much easier.
Your franchisees likely don’t have the time and resources to manage their PCI compliance. Aligning yourself with a qualified PCI vendor will ensure your franchisees have the tools they need to get PCI compliant and allow you to easily manage them year-round.
Gary Glover, Vice President of Assessments at SecurityMetrics, sums it up very nicely: “The cultivation of a year-round PCI compliance and security culture is imperative to avoid simple mistakes.”
We help customers close security and compliance gaps to avoid data breaches. Our forensic, penetration testing, and audit teams identify best security practices and simplify compliance mandates (PCI DSS, HIPAA, HITRUST, GDPR). As an Approved Scanning Vendor, Qualified Security Assessor, Certified Forensic Investigator, we have tested over 1 million systems for security.